Diffstat (limited to 'zarb-ml/mageia-sysadm/2011-January/002053.html')
-rw-r--r-- | zarb-ml/mageia-sysadm/2011-January/002053.html | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2011-January/002053.html b/zarb-ml/mageia-sysadm/2011-January/002053.html
new file mode 100644
index 000000000..0d05b7710
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/2011-January/002053.html
@@ -0,0 +1,156 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+ <HEAD>
+ <TITLE> [Mageia-sysadm] [779] allow to use multiple group for the access with pam
+ </TITLE>
+ <LINK REL="Index" HREF="index.html" >
+ <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B779%5D%20allow%20to%20use%20multiple%20group%20for%20the%20access%0A%09with%20pam&In-Reply-To=%3C20110113181231.7F5B54237B%40valstar.mageia.org%3E">
+ <META NAME="robots" CONTENT="index,nofollow">
+ <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+ <LINK REL="Previous" HREF="002052.html">
+ <LINK REL="Next" HREF="002054.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+ <H1>[Mageia-sysadm] [779] allow to use multiple group for the access with pam</H1>
+ <B>root at mageia.org</B>
+ <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B779%5D%20allow%20to%20use%20multiple%20group%20for%20the%20access%0A%09with%20pam&In-Reply-To=%3C20110113181231.7F5B54237B%40valstar.mageia.org%3E"
+ TITLE="[Mageia-sysadm] [779] allow to use multiple group for the access with pam">root at mageia.org
+ </A><BR>
+ <I>Thu Jan 13 19:12:31 CET 2011</I>
+ <P><UL>
+ <LI>Previous message: <A HREF="002052.html">[Mageia-sysadm] [778] add a reverse proxy class
+</A></li>
+ <LI>Next message: <A HREF="002054.html">[Mageia-sysadm] [780] move the type of access_class to deployment ( as this is tied to our group name )
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#2053">[ date ]</a>
+ <a href="thread.html#2053">[ thread ]</a>
+ <a href="subject.html#2053">[ subject ]</a>
+ <a href="author.html#2053">[ author ]</a>
+ </LI>
+ </UL>
+ <HR>
+<!--beginarticle-->
+<PRE>Revision: 779
+Author: misc
+Date: 2011-01-13 19:12:31 +0100 (Thu, 13 Jan 2011)
+Log Message:
+-----------
+allow to use multiple group for the access with pam
+
+Modified Paths:
+--------------
+ puppet/modules/pam/manifests/init.pp
+ 
puppet/modules/pam/templates/system-auth
+
+Modified: puppet/modules/pam/manifests/init.pp
+===================================================================
+--- puppet/modules/pam/manifests/init.pp 2011-01-13 18:12:29 UTC (rev 778)
++++ puppet/modules/pam/manifests/init.pp 2011-01-13 18:12:31 UTC (rev 779)
+@@ -43,13 +43,20 @@
+ content => template("pam/ldap.conf")
+ }
+ }
++
++ define multiple_ldap_access($access_classes) {
++ include base
++ }
+
+- # beware , this two classes are exclusive
++ # beware , this two classes are exclusives
++ # if you need multiple group access, you need to define you own class
++ # of access
+
+ # for server where only admins can connect
+ class admin_access {
+- $access_class = "admin"
+- include base
++ multiple_ldap_access { "admin_access":
++ access_classes => ['mga-sysadmin']
++ }
+ }
+
+ # for server where people can connect with ssh ( git, svn )
+@@ -59,8 +66,11 @@
+ # user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
+ # so the file must exist
+ # permission to use svn, git, etc must be added separatly
++
+ include restrictshell::shell
+- $access_class = "committers"
+- include base
++
++ multiple_ldap_access { "committers_access":
++ access_classes => ['mga-commiters']
++ }
+ }
+ }
+
+Modified: puppet/modules/pam/templates/system-auth
+===================================================================
+--- puppet/modules/pam/templates/system-auth 2011-01-13 18:12:29 UTC (rev 778)
++++ puppet/modules/pam/templates/system-auth 2011-01-13 18:12:31 UTC (rev 779)
+@@ -9,13 +9,13 @@
+
+
+ account sufficient pam_localuser.so
+-<%- if access_class == 'admin' -%>
+-account required pam_succeed_if.so quiet user ingroup mga-sysadmin
++# not sure if the following bring something useful
++account required pam_ldap.so
++<%- if access_classes -%>
++<%- access_classes.each { |ldap_group| -%>
++account sufficient pam_succeed_if.so quiet user ingroup <%= ldap_group %>
++<%- } -%>
+ <%- end -%>
+-<%- if 
access_class == 'committers' -%>
+-account required pam_succeed_if.so quiet user ingroup mga-committers
+-<%- end -%>
+-account sufficient pam_ldap.so
+ account required pam_deny.so
+
+
+-------------- next part --------------
+An HTML attachment was scrubbed...
+URL: </pipermail/mageia-sysadm/attachments/20110113/68ffbda3/attachment-0001.html>
+</PRE>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+<!--endarticle-->
+ <HR>
+ <P><UL>
+ <!--threads-->
+ <LI>Previous message: <A HREF="002052.html">[Mageia-sysadm] [778] add a reverse proxy class
+</A></li>
+ <LI>Next message: <A HREF="002054.html">[Mageia-sysadm] [780] move the type of access_class to deployment ( as this is tied to our group name )
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#2053">[ date ]</a>
+ <a href="thread.html#2053">[ thread ]</a>
+ <a href="subject.html#2053">[ subject ]</a>
+ <a href="author.html#2053">[ author ]</a>
+ </LI>
+ </UL>
+
+<hr>
+<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
+mailing list</a><br>
+</body></html> |
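Review bot: In the archived init.pp change, the committers class now passes `access_classes => ['mga-commiters']`, which does not match the group the removed system-auth line checked (`ingroup mga-committers`); because the new stack ends in `account required pam_deny.so`, members of the real committers group would fall through to deny (or, if a group spelled `mga-commiters` exists on the LDAP side, a different set of users would be authorised), so the line should read `access_classes => ['mga-committers']`. The template also reads `access_classes`, but that variable is set inside the `multiple_ldap_access` define while system-auth is presumably rendered from class `base` (it is only `include`d there, not passed the value), so the lookup appears to rely on dynamic scoping and on `base` being evaluated first from that define; when the variable is unset the `<%- if access_classes -%>` guard yields a stack with no group line at all, which is fail-closed for LDAP users but indistinguishable from a working configuration until someone is locked out. Both points are worth confirming on a test host, and the "not sure if the following bring something useful" comment above `account required pam_ldap.so` should be resolved rather than shipped, since whether that line is `required` or `sufficient` changes how a failed LDAP lookup interacts with the group checks.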